Kubernetes, the extensible, open-source platform that accelerates app development by managing containerized workloads and services, is growing in popularity. But as it does, there are rising concerns about how to secure the cloud-native apps being developed and the underlying Kubernetes infrastructure. Increasingly, organizations are looking to DevSecOps to address this issue.
Some of the concerns stem from the fact that when deploying Kubernetes from open source, none of the security controls are configured. It’s up to you to figure out how they work. There’s also a lack of built-in security in Kubernetes to ensure the containers and code running on the cluster are safe.
There are a variety of security best practices specific to Kubernetes ─ and containers in general ─ that can help secure the clusters and workloads. They all should be incorporated.
However, adopting a DevSecOps approach to cloud-native app development, including its use of Kubernetes, not only addresses specific security issues. It also creates a culture in which security is a priority throughout the entire application development lifecycle.
DevSecOps stands for development, security, and operations. It’s an approach that integrates security as a shared responsibility among all project teams throughout the entire app development lifecycle. It also means thinking about app security from the start. Security is no longer something that gets integrated at the last stages of app development.
That’s why it’s essential that security teams and any partners should be brought in at the beginning of cloud-native app development projects. It enables them to build in information security and agree on a security automation plan before a project progresses.
Collaboration and communication are critical. For example, development teams need to code with security in mind. And security teams need to share visibility, feedback, and insights on known threats.
DevSecOps also entails automating security gates to keep the DevOps workflow from slowing down. Selecting tools to continuously integrate security, like agreeing on an integrated development environment (IDE) with security features, can help.
Not surprisingly, DevOps forms the foundation for DevSecOps. For example, DevOps practices use standardization to accelerate collaboration and interaction between project teams. DevSecOps capitalizes on this, seeking opportunities to streamline workflows and consolidate tooling for security functions. By aligning security with the familiar, standardized abstractions and tooling already used by DevOps teams, DevSecOps makes it easy for all teams to do their part to mitigate potential security issues.
For example, Kubernetes employs a robust object and resource model with concepts such as deployments and replica sets. They’re the primary way that pods, the smallest unit of computing in Kubernetes, are deployed. Developers and operations engineers already use these Kubernetes abstractions. It makes sense that security teams should align with them as well instead of creating a custom framework.
Basing security functions, such as configuration management and runtime detection, on existing Kubernetes objects and resources also enables all team members to have a consistent understanding of security issues. It fosters greater cross-team alignment and simplifies the Kubernetes learning curve for teams.
While transitioning to a DevSecOps culture from DevOps requires a change in how security is viewed, there are also tactics that are helpful specifically for integrating DevSecOps practices in Kubernetes environments.
The first step is to focus on how apps are built. And, not surprisingly, to make security a part of the process early on. Apps built using monolithic architectures are typically subject to updates, patches, and manual changes while running in production. However, in cloud-native environments, developers and DevOps teams rebuild and redeploy containers while treating running them as immutable. As such, the supply chain serves as a centralized place for applying all changes.
By securing the supply chain, containerized apps are better protected before being deployed into production. Because the supply chain is where DevOps methodologies are typically applied, it’s an easy place to start extending DevOps practices to DevSecOps practices.
Security teams can use this to their advantage for protecting cloud-native apps. One of the ways to improve security for Kubernetes environments is to avoid letting app vulnerabilities be introduced into production environments. By incorporating container image scanning into CI/CD pipelines, teams can enable the identification of OS and language-specific vulnerabilities in the app images.
There are many other ways to use DevSecOps to improve security across the supply chain. That includes using immutable tags to track specific images that are used to deploy containerized applications. Unnecessary tools and components in images can also be removed. And development teams can make sure that secrets aren’t embedded in images.
Yet another tactic – using an Infrastructure as Code (IaC) model to create a “Security as Code” approach. DevOps teams often use an IaC model based on interfacing with declarative APIs to ensure configurations are specified upfront and implemented consistently across environments. This is typically used for provisioning cloud infrastructure, configuring cloud services, setting up recurring API interactions, and other workflows.
Extending the IaC model to include security functions, in essence, enables a Security as Code approach. It facilitates proactive, automated, and repeatable security control configuration across apps and infrastructure. This works particularly well for Kubernetes environments since most are comprised of multiple clusters that may or may not be provisioned across multi-cloud or hybrid cloud environments.
Teams have to determine how to securely and consistently configure the clusters when the infrastructure is provisioned and the apps deployed. That’s not always easy, given that significant differences exist between Kubernetes platforms. Some expose weaknesses by including and deploying the Kubernetes dashboard. Others only support older Kubernetes versions that contain known vulnerabilities. Still, others have weak authentication and authorization, along with network traffic restrictions. A DevSecOps approach can handle these differences and ensure consistent security.
Dealing with the security issues associated with Kubernetes doesn’t have to be difficult. That’s particularly true if development teams take advantage of the wide variety of available tools and best practices. However, implementing a DevSecOps approach provides an extra layer of security. And it establishes a way of thinking about security that can benefit app development in general.
Mikhail Ruchkin is the Director of Information Technology and Security at ClearScale.